Better get used to routine loss of personal privacy

Bruce Schneier
Minneapolis Star Tribune, December 21, 2003

At a gas station in British Columbia, two employees installed a camera in the ceiling in front of an ATM machine. They recorded thousands of people as they typed in their PIN numbers. Combined with a false front on the ATM that recorded account numbers from the cards, the pair were able to steal millions before they were caught.

In at least 14 Kinko's copy shops in New York City, Juju Jiang installed keystroke loggers on the rentable computers. For over a year he eavesdropped on people, capturing more than 450 user names and passwords and using them to access and open bank accounts online.

A lot has been written about the dangers of increased government surveillance, but we also need to be aware of the potential for more pedestrian forms of surveillance. A combination of forces -- the miniaturization of surveillance technologies, the falling price of digital storage, the increased power of computer programs to sort through all of this data -- means that surveillance abilities that used to be limited to governments are now, or soon will be, in the hands of everyone.

Some uses of surveillance are benign. Fine restaurants sometimes have cameras in their dining rooms so the chef can watch diners as they eat his creations. Telephone help desks sometimes record customer conversations in order to help train their employees.

Other uses are less benign. Some employers monitor the computer use of their employees, including use of company machines on personal time. A company is selling an e-mail greeting card that surreptitiously installs spyware on the recipient's computer. Some libraries keep records of what books people check out, and Amazon keeps records of what books people browse on its Web site.

And, as we've seen, some uses are criminal.

This trend will continue in the years ahead, because technology will continue to improve. Cameras will become even smaller and more inconspicuous. Already some health clubs are banning cell phones from locker rooms because some contain miniature cameras.

Imaging technology will be able to pick up ever smaller details, and will be increasingly able to "see" through walls and other barriers. And computers will be able to process this information better. Today, cameras are just mindlessly watching and recording, but eventually sensors will be able to identify people. Photo IDs are just temporary; eventually no one will have to ask you for an ID because they'll already know who you are. Walk into a store, and you'll be identified. Sit down at a computer, and you'll be identified. I don't know if the technology will be face recognition, DNA sniffing or something else entirely. I don't know if this future is 10 years out or 20 -- but eventually it will work often enough and be cheap enough for mass-market use.

The upshot is that you should consider the possibility, albeit remote, that you are being observed whenever you're out in public. Assume that all public Internet terminals are being eavesdropped on; either don't use them or don't care. Assume that cameras are watching and recording you as you walk down the street. (In some cities, they probably are.) Assume that surveillance technologies that were science fiction 10 years ago are now mass-market.

What will happen at the health clubs when the cameras they are trying to ban become too small to notice?

This loss of privacy is an important change to society. It means that we will leave an even wider audit trail through our lives than we do now. And it's not only a matter of making sure this audit trail is accessed only by "legitimate" parties: an employer, the government, etc. Once data is collected, it can be compiled, cross-indexed, and sold; it can be used for all sorts of purposes. It can be accessed both legitimately and illegitimately. And it can persist for your entire life.

earlier essay: Are You Sophisticated Enough to Recognize an Internet Scam?
later essay: Risks of PKI: Secure E-Mail
categories: Privacy and Surveillance
back to Essays and Op Eds

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..